A potential US government iPhone hacking toolkit is now in the hands of foreign spies and criminals


Google indicates that Apple has corrected the security vulnerabilities used by Coruna in the latest versions of its mobile operating system, iOS 26, so its exploit techniques have been confirmed to work only against iOS 13 through 17.2.1. It targets vulnerabilities in Apple’s WebKit framework for browsers, so Safari users on those older versions of iOS will be vulnerable, but there are no proven techniques in the toolkit to target Chrome users. Google also notes that Coruna checks whether an iOS device has Apple’s stricter security setting, known as Lockdown Mode, enabled, and does not attempt to hack it if so.

Despite these limitations, iVerify says Coruna has likely infected tens of thousands of phones. The company consulted with a partner who had access to network traffic and counted visits to the command and control server for the cybercriminals’ version of Coruna that was infecting Chinese-language websites. The volume of these communications, iVerify says, suggests that approximately 42,000 devices may have already been compromised using the toolkit in the for-profit campaign alone.

It remains unclear how many other victims Coruna may have infected, including Ukrainians who visited sites infected with the code through the suspected Russian spying operation. Google declined to comment beyond its published report. Apple did not immediately provide comment on the Google or iVerify findings.

In iVerify’s analysis of the cybercrime version of Coruna (the company did not have access to any of the previous versions), it found that the code appeared to have been modified to plant malware on target devices designed to drain cryptocurrency wallets as well as steal images and, in some cases, emails. However, these additions were “poorly written” compared to the core Coruna toolkit, according to Spencer Parker, chief product officer at iVerify, who found the core toolkit impressively polished and modular.

“Oh my God, this stuff is very professionally written,” Parker says of the exploits in Coruna, noting that the more egregious malware was added by cybercriminals who later obtained that code.

As for evidence pointing to Coruna’s origins as a US government toolkit, iVerify’s Cole points out that it’s possible that Coruna’s code overlaps with the Triangulation code that Russia attributed to American hackers, and could rely on Triangulation components having been captured and repurposed after they were discovered. But Cole finds this unlikely. He points out that many of the components of Coruna have not been seen before, and the entire toolkit appears to have been created by “a single author,” as he puts it.

“The framework holds together very well,” says Cole, who previously worked at the NSA, but points out that he has been out of government for more than a decade and is not basing any findings on his old knowledge of American hacking tools. “It appears to be written as a whole. It doesn’t appear to be put together.”

If Coruna is, in fact, an American hacking toolkit that went rogue, how it ended up in foreign and criminal hands remains a mystery. But Cole points to an industry of intermediaries who may pay tens of millions of dollars for hacking techniques that they can resell for espionage, cybercrime or cyberwarfare. It is worth noting that Peter Williams, CEO of the US government contractor Trenchant, was sentenced this month to seven years in prison for fraud, for selling hacking tools to the Russian zero-day broker Operation Zero from 2022 to 2025. Williams’ sentencing memorandum notes that Trenchant sold hacking tools to the US intelligence community as well as others in the “Five Eyes” group of English-speaking governments (the US, UK, Australia, Canada and New Zealand), although it is not clear what specific tools he sold or what devices they targeted.

“These zero-day and exploit brokers tend to be unscrupulous,” Cole says. “They sell to the highest bidder, and then they double-cut. A lot of them don’t have exclusive arrangements. That’s probably what happened here.”

“One of these tools ended up in the hands of a non-Western exploitation broker, and they sold it to whoever was willing to pay,” Cole concludes. “The genie is out of the bottle.”